IRILL - Research and Innovation on Free Software

X.509 Cert Store Discussion


"X.509 Cert Store Discussion"
by Daniel Kahn Gillmor,
on 2012-07-14 00:00:00

Discuss X.509 Certificate Authority stores, known-peer datasets, and secret key and local certificate management across Debian.

Do you maintain a package that offers a service or a client that needs an X.509 certificate or needs to verify such a certificate from a peer? Do you administer systems running services that need X.509 certificates or need to verify their clients? Do you use any client that needs to verify a peer's certificate, or offer one of its own? http://bugs.debian.org/608719 marks the latest part of a continuing discussion about management of X.509 Certificate Authority and Peer stores across Debian. As problematic as X.509 is, it seems unlikely to go away in the near future, and Debian's current approach (while less scattered than it could be) seems to sow confusion among packagers, sysadmins, and users alike. Moreover, we don't seem to have clear, well-documented best practices or policy for how we want to see questions of X.509 certificate authentication addressed at a system-wide level. I'd like to try to get as many stakeholders as possible together in person to talk about what the right way to handle this is, and plot a course for wheezy+1.